THORChain Warns of Fake Refund Scams After $10M Hack Reports

THORChain is fighting two battles simultaneously. It is investigating a $10 million exploit and now warning its community about a wave of scams exploiting the chaos. On May 16, 2026, THORChain issued an urgent public warning. After multiple fake accounts began circulating false information about “refunds,” “airdrops,” and compensation programs tied to the hack. The protocol was unambiguous.

THORChain incident update #2
We have become aware of multiple fake accounts and false information circulating regarding “refunds”, “airdrops”, compensation claims, and other alleged initiatives.

To be absolutely clear:
– Initial findings indicate that no user funds were…

— THORChain (@THORChain) May 16, 2026

Crypto hack news this week has a dangerous second chapter. Falling for the scam could cost victims more than the original exploit did.

What Actually Happened to THORChain

The attack struck on May 15, targeting one of THORChain’s six Asgard vaults across Bitcoin, Ethereum, BNB Chain, and Base simultaneously. Blockchain investigator ZachXBT first identified and quantified the losses at $10.7 million, approximately 36.75 BTC. Including $7 million in EVM tokens routed across four chains.

THORChain incident update #1
THORChain contributors shared a new update in the dev discord regarding the ongoing incident.

TLDR
– Current evidence points toward a newly churned node linked to the attack, likely operated by a single malicious actor

– The leading theory is an…

— THORChain (@THORChain) May 15, 2026

THORChain’s update revealed the technical root cause. A newly churned node: thor16…n84q, that entered the network several days before the attack is believed to be directly associated with the exploit. The leading theory is an attack on the GG20 Threshold Signature Scheme implementation. This allowed vault key material to leak gradually over time. By accumulating enough leaked information, the attacker reconstructed the vault’s private key and executed unauthorized outbound transactions.

The network’s automated detection system flagged the unusual behavior and halted signing activity. It prevented additional outbound transactions and limited the damage to a single vault. Initial indications confirm no individual user swap funds were affected. Only protocol-owned liquidity was hit.

The Scam Wave Arrives

Within hours of the exploit becoming public, bad actors launched coordinated impersonation campaigns. Fake websites, including one mimicking a THORChain “Asset Recovery & Approval Revoke Portal,” appeared. That promising treasury-backed refunds for affected wallets. These sites request wallet connections and signatures, the exact mechanism needed to drain funds from anyone who connects.

THORChain’s official warning is direct and should be treated as the only authoritative source. The investigation is ongoing alongside THORSec and Outrider Analytics. Recovery discussions are actively considering multiple approaches: slashing affected node bonds, using Protocol-Owned Liquidity to absorb losses, or community-driven proposals. No final decisions have been made.

What This Means for Investors and Developers

For THORChain users, the security guidance is straightforward. Rely exclusively on the official THORChain handle for updates. Additionally, do not connect wallets to any site claiming to offer refunds or approval revocations related to this incident.

For DeFi developers, the GG20 TSS vulnerability is the technical takeaway that demands attention. Threshold signature schemes are widely used across cross-chain infrastructure. A vulnerability that allows key material to leak gradually. Rather than through a single attack. It represents a class of risk that requires active monitoring, regular key rotation, and rigorous node vetting before churning.

THORChain’s automated pause mechanism worked. The scammers working the aftermath are the next threat to defend against.